
Fleet SIEM Testbench

The SigmaShake SIEM testbench at siem.sigmashake.com emulates every destination the Fleet SIEM adapters support (Splunk HEC, Cribl HTTP-in, Confluent Kafka REST v3, and HMAC-signed webhook) so you can verify that a destination configuration is correct before pointing Fleet at your production SIEM.

Each session is self-contained: credentials are minted per-session, captured events live in an inspect dashboard for 24 hours, and a Workers-AI pass reports missing fields, signature mismatches, redaction leaks, or chunk-size drift in natural language.

Quickstart

1. Mint a session

curl -X POST https://siem.sigmashake.com/new-session

The response includes:

  • A 24-hour session_id
  • Per-adapter credentials (hec_token, bearer_token, api_key/api_secret, signing_secret)
  • A fully-resolved endpoints block for each adapter
  • inspect_url and analyze_url for the dashboard and AI pass

2. Configure a Fleet destination

Use the returned endpoints[*].endpoint value (and any session-specific fields like cluster_id, topic) when calling POST /api/siem/destinations in Fleet. Copy the credentials into the credentials object.

Adapter           config.endpoint example (from new-session)                  Extra config fields
splunk            https://siem.sigmashake.com/splunk
cribl             https://siem.sigmashake.com/cribl                           path: /cribl
confluent_rest    https://siem.sigmashake.com/confluent                       session-specific cluster_id + topic
generic_webhook   https://siem.sigmashake.com/webhook?session=<session_id>

3. Trigger a health check

In Fleet, POST /api/siem/destinations/:id/test sends a synthetic health_check event. The testbench records it immediately, so you can confirm receipt in the dashboard:

open https://siem.sigmashake.com/inspect/<session_id>

4. Run the AI analyser

curl -X POST https://siem.sigmashake.com/analyze/<session_id>

The response includes per-record findings with severity, field, message, and a fix hint. Typical catches:

  • Wrong webhook credential key. The testbench flags signing_secret vs. hmac_secret mismatches — see the note below.
  • Signature outside replay window. Clock skew > 5 minutes between Fleet and the testbench.
  • Empty batch. Fleet should never deliver zero events.
  • Oversized chunk. Any request over the 900 KB per-POST budget is flagged.
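The four catches above, reproduced locally so you can run the same checks against a batch before a single byte reaches the testbench. This is an added example and not the testbench's or Fleet's own code: the page does not document the webhook signature wire format, so the example assumes HMAC-SHA256 over "<unix_ts>.<raw body>", hex-encoded in an X-Signature header with the timestamp in X-Timestamp; the replay window (5 minutes), the 900 KB per-POST budget and the signing_secret key name are taken from the page. It also covers the hmac_secret / signing_secret naming note below as a config lint.

```python
import hashlib
import hmac
import json
import time

# Limits taken from the page: 5-minute replay window, 900 KB per-POST budget.
REPLAY_WINDOW_S = 5 * 60
MAX_CHUNK_BYTES = 900 * 1024

# ASSUMPTION: the page does not document the signature wire format. This example
# assumes HMAC-SHA256 over "<unix_ts>.<raw body>", hex-encoded in X-Signature,
# with the timestamp sent in X-Timestamp. Replace with the real adapter's scheme.
SIG_HEADER = "X-Signature"
TS_HEADER = "X-Timestamp"


def sign(secret: str, ts: int, body: bytes) -> str:
    return hmac.new(secret.encode(), f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def build_request(events: list, credentials: dict, ts: int) -> dict:
    """Sender side: serialise one batch and sign it with credentials.signing_secret,
    the key generic_webhook.ts reads. A config that still says hmac_secret ends up
    signed with an empty secret here, which the receiver then flags."""
    body = json.dumps(events, separators=(",", ":")).encode()
    secret = credentials.get("signing_secret", "")
    return {"headers": {TS_HEADER: str(ts), SIG_HEADER: sign(secret, ts, body)}, "body": body}


def finding(severity: str, field: str, message: str, fix: str) -> dict:
    return {"severity": severity, "field": field, "message": message, "fix": fix}


def check_destination(destination: dict) -> list:
    """Config lint for the hmac_secret / signing_secret naming mismatch."""
    creds = destination.get("credentials", {})
    if "signing_secret" in creds:
        return []
    seen = "hmac_secret present" if "hmac_secret" in creds else "no secret key present"
    return [finding("error", "credentials.signing_secret",
                    f"webhook credential missing ({seen})",
                    "use the key signing_secret from the new-session response")]


def check_delivery(session_secret: str, request: dict, now: int) -> list:
    """Receiver side: the analyser's other typical catches, in the order a
    receiver would hit them (replay window, signature, size, empty batch)."""
    headers, body = request["headers"], request["body"]
    findings = []

    ts = int(headers.get(TS_HEADER, "0"))
    skew = abs(now - ts)
    if skew > REPLAY_WINDOW_S:
        findings.append(finding("error", TS_HEADER, f"timestamp is {skew} s from receiver clock",
                                "sync Fleet's clock; the replay window is 5 minutes"))

    # Constant-time compare: never short-circuit on the first differing byte.
    expected = sign(session_secret, ts, body)
    if not hmac.compare_digest(expected, headers.get(SIG_HEADER, "")):
        findings.append(finding("error", SIG_HEADER,
                                "signature does not verify with the session signing_secret",
                                "check the credential value and that the signed bytes equal the sent body"))

    if len(body) > MAX_CHUNK_BYTES:
        findings.append(finding("warning", "body", f"{len(body)} bytes exceeds the 900 KB per-POST budget",
                                "lower the destination chunk size"))

    try:
        events = json.loads(body)
    except ValueError:
        events = None
    if events == []:
        findings.append(finding("error", "body", "empty batch", "skip delivery when there are no events"))
    elif not isinstance(events, list):
        findings.append(finding("error", "body", "body is not a JSON array of events", "send a JSON array"))

    return findings


def preflight(session_secret: str, destination: dict, request: dict, now: int) -> list:
    return check_destination(destination) + check_delivery(session_secret, request, now)


if __name__ == "__main__":
    # Constructed sample values; a real run takes them from POST /new-session.
    secret = "sess_signing_secret_example"
    dest = {"adapter": "generic_webhook", "credentials": {"signing_secret": secret}}
    now = int(time.time())
    ok = build_request([{"type": "health_check"}], dest["credentials"], now)
    stale = build_request([{"type": "health_check"}], dest["credentials"], now - 600)
    for label, req in (("ok", ok), ("stale", stale)):
        print(label, preflight(secret, dest, req, now))
```

Because the timestamp is part of the signed string, a skewed clock produces a replay-window finding but still a valid signature; a mismatched or renamed secret produces a signature finding instead. Keeping the two separate is what lets the fix hint point at the clock rather than the credential.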

Error injection

Append ?fail=<mode> to any receiver endpoint in your Fleet destination config to exercise the retry path:

Mode                  Response                                         Exercises
fail=429              429 Too Many Requests + Retry-After: 2           Fleet backoff + retry
fail=500              500 Internal Server Error                        Fleet 5xx retry path
fail=502 / fail=503   matching status                                  intermediate-failure retry
fail=timeout          server holds the request for 30 s, then 504      Fleet's 25 s delivery budget

Each failure is recorded in the inspect dashboard with fail_injected set, so you can correlate Fleet's fleet_siem_delivery_log.attempt_count column against the exact responses you've forced.
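A budget-aware retry loop run against a stand-in for each fail=<mode> response, so you can see what attempt_count and elapsed time to expect in fleet_siem_delivery_log before forcing the same responses for real. This is an added example, not Fleet's delivery code: the 25 s delivery budget, the 30 s server hold and the Retry-After: 2 header come from the page, while the attempt cap and the 1, 2, 4, ... s backoff schedule are assumptions. The clock and receiver are fakes so the whole path runs instantly and offline.

```python
# Constants from the page: Fleet gives each delivery 25 s; the testbench's
# fail=timeout holds the request for 30 s before answering 504.
DELIVERY_BUDGET_S = 25.0
SERVER_HOLD_S = 30.0
# ASSUMPTION: Fleet's backoff schedule and attempt cap are not documented;
# the values below are illustrative.
MAX_ATTEMPTS = 5
BASE_BACKOFF_S = 1.0


class FakeClock:
    """Virtual time so the retry path runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


class FakeReceiver:
    """Stands in for the testbench. `mode` is the ?fail=<mode> value (any other
    numeric mode is returned as-is); the forced failure is applied to the first
    `failures` calls, after which the receiver answers 200 like a healthy SIEM."""
    def __init__(self, mode: str, failures: int):
        self.mode, self.failures, self.calls = mode, failures, 0

    def post(self, clock: FakeClock, timeout: float):
        self.calls += 1
        if self.calls > self.failures:
            return 200, {}
        if self.mode == "timeout":
            # Server holds for 30 s; a client with a shorter timeout gives up first
            # and sees no status at all (None), not the eventual 504.
            if SERVER_HOLD_S > timeout:
                clock.sleep(timeout)
                return None, {}
            clock.sleep(SERVER_HOLD_S)
            return 504, {}
        if self.mode == "429":
            return 429, {"Retry-After": "2"}
        return int(self.mode), {}


def deliver(receiver: FakeReceiver, clock: FakeClock, budget: float = DELIVERY_BUDGET_S) -> dict:
    """Retry until delivered, rejected, or out of budget/attempts. Returns the
    outcome plus attempt_count so the result can be lined up against
    fleet_siem_delivery_log.attempt_count for the same forced responses."""
    start = clock.now()
    attempts = 0
    while attempts < MAX_ATTEMPTS:
        remaining = budget - (clock.now() - start)
        if remaining <= 0:
            break
        attempts += 1
        # The per-request timeout never exceeds what is left of the delivery budget.
        status, headers = receiver.post(clock, timeout=remaining)
        if status == 200:
            return {"outcome": "delivered", "attempt_count": attempts, "elapsed": clock.now() - start}
        if status is None:
            wait = None  # client-side timeout: re-check the budget, no extra sleep
        elif status == 429:
            wait = float(headers.get("Retry-After", BASE_BACKOFF_S))
        elif status >= 500:
            wait = BASE_BACKOFF_S * 2 ** (attempts - 1)
        else:
            # Other 4xx (bad token, wrong path) will not succeed on retry.
            return {"outcome": "rejected", "attempt_count": attempts,
                    "elapsed": clock.now() - start, "status": status}
        if wait is not None:
            remaining = budget - (clock.now() - start)
            if wait >= remaining:
                break  # sleeping would overrun the budget; stop now
            clock.sleep(wait)
    return {"outcome": "exhausted", "attempt_count": attempts, "elapsed": clock.now() - start}


if __name__ == "__main__":
    for mode, failures in (("429", 1), ("500", 2), ("503", 10), ("timeout", 1)):
        print(f"fail={mode}", deliver(FakeReceiver(mode, failures), FakeClock()))
```

The two cases worth comparing in the dashboard are fail=timeout, where a single attempt consumes the whole 25 s budget and the client never sees the 504, and a run of 5xx responses, where the exponential backoff is cut off as soon as the next sleep would overrun the budget.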

Note on the hmac_secret / signing_secret naming

Earlier revisions of Fleet SIEM Log Forwarding referred to the webhook credential as hmac_secret. The actual adapter in sigmashake-fleet/src/lib/siem/adapters/generic_webhook.ts expects signing_secret. The testbench uses signing_secret and surfaces any mismatch in the AI analyser's fix hints.

Endpoint reference

Verb   Path                                                          Purpose
POST   /new-session                                                  Mint a session + credentials
GET    /session/:id                                                  Session metadata (counts, expiry)
POST   /splunk/services/collector/event                              Splunk HEC
POST   /cribl/*                                                      Cribl HTTP-in
POST   /confluent/kafka/v3/clusters/:cluster/topics/:topic/records   Confluent REST v3
POST   /webhook?session=<id>                                         HMAC-signed webhook
GET    /inspect/:id                                                  HTML dashboard (Accept: application/json for JSON)
POST   /analyze/:id                                                  Workers-AI diagnostic pass
GET    /health                                                       Liveness

Privacy

Captured events are held in Cloudflare KV under a 24-hour TTL and are not persisted anywhere else or beyond that window. Each receiver records only a truncated (64 KB) snapshot of the raw body plus a small header subset; the Authorization header value is redacted down to its scheme before display. The signing secret and HEC token are echoed exactly once, in the POST /new-session response, and never appear in the inspect dashboard.
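The snapshot rules above, written out so you can check what a stored record will and will not contain, including whether a per-session secret could still reach the dashboard through the event body itself (the "redaction leaks" case the analyser reports). This is an added example and not the testbench's capture code: the 64 KB truncation and the Authorization-to-scheme redaction are from the page, while the exact list of retained headers is an assumption.

```python
import json

SNAPSHOT_BYTES = 64 * 1024  # from the page: only a 64 KB snapshot of the body is kept
# ASSUMPTION: the page says a "small header subset" is retained but does not list it.
KEPT_HEADERS = ("authorization", "content-type", "content-length", "user-agent",
                "x-timestamp", "x-signature")


def redact_authorization(value: str) -> str:
    """Keep only the scheme: 'Splunk <token>' -> 'Splunk', 'Bearer <jwt>' -> 'Bearer'."""
    parts = value.split(None, 1)
    return parts[0] if parts else ""


def snapshot(headers: dict, body: bytes) -> dict:
    """The record a receiver would store for one request: allow-listed headers,
    Authorization reduced to its scheme, body cut to the snapshot size."""
    kept = {}
    for name, value in headers.items():
        key = name.lower()
        if key not in KEPT_HEADERS:
            continue
        kept[key] = redact_authorization(value) if key == "authorization" else value
    return {
        "headers": kept,
        "body": body[:SNAPSHOT_BYTES].decode("utf-8", "replace"),
        "body_bytes": len(body),
        "truncated": len(body) > SNAPSHOT_BYTES,
    }


def leaks(snap: dict, secrets: list) -> list:
    """Which of the per-session secrets still appear anywhere in the stored record.
    A non-empty result means the event payload itself carried a credential."""
    blob = json.dumps(snap)
    return [s for s in secrets if s and s in blob]


if __name__ == "__main__":
    # Constructed sample: a Splunk HEC delivery with a made-up token and a 130 KB body.
    token = "hec-token-constructed-0123"
    snap = snapshot({"Authorization": f"Splunk {token}", "Content-Type": "application/json",
                     "X-Forwarded-For": "203.0.113.7"}, b'{"event":"x"}' * 10000)
    print(snap["headers"], snap["body_bytes"], snap["truncated"], leaks(snap, [token]))
```

Run leaks() with every secret from the new-session response; if a batch ever echoes a token inside an event (a logged request header, say), the snapshot will contain it even though the Authorization header was redacted.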